GLOBALSIGN CERTIFICATE POLICY - DATE: MARCH 30, 2021
Digitally signed by CA Governance Policy Authority. Date: 2021.04.29 15:51:07 +02'00'

GlobalSign Certificate Policy
Date: March 30, 2021
Effective date for Qualified Timestamping, Qualified Web Authentication Certificates, Qualified Certificates for Electronic Signatures and Qualified Certificates for Electronic Seals: {normal date + 2 weeks}
Version: v6.7
Table of Contents

TABLE OF CONTENTS .... 2
DOCUMENT HISTORY .... 8
ACKNOWLEDGMENTS .... 10
1.0 INTRODUCTION .... 11
1.1 OVERVIEW .... 12
    Certificate Naming .... 13
    Additional requirements for Trusted Root Issuer CAs .... 15
1.2 DOCUMENT NAME AND IDENTIFICATION .... 16
1.3 PKI PARTICIPANTS .... 22
    Certification Authorities ("Issuer CAs") .... 22
    Registration Authorities .... 22
    Subscribers .... 23
    Relying Parties .... 24
    Other Participants .... 24
1.4 CERTIFICATE USAGE .... 24
    Appropriate Certificate Usage .... 24
    Prohibited Certificate Usage .... 24
1.5 POLICY ADMINISTRATION .... 25
    Organization Administering the Document .... 25
    Contact Person .... 25
    Person Determining CP Suitability for the Policy .... 25
    CP Approval Procedures .... 26
1.6 DEFINITIONS AND ACRONYMS .... 26
2.0 PUBLICATION AND REPOSITORY RESPONSIBILITIES .... 35
2.1 REPOSITORIES .... 35
2.2 PUBLICATION OF CERTIFICATE INFORMATION .... 35
2.3 TIME OR FREQUENCY OF PUBLICATION .... 35
2.4 ACCESS CONTROLS ON REPOSITORIES .... 35
3.0 IDENTIFICATION AND AUTHENTICATION .... 35
3.1 NAMING .... 36
    Types of Names .... 36
    Need for Names to be Meaningful .... 36
    Anonymity or Pseudonymity of Subscribers .... 36
    Rules for Interpreting Various Name Forms .... 36
    Uniqueness of Names .... 36
    Recognition, Authentication, and Role of Trademarks .... 36
3.2 INITIAL IDENTITY VALIDATION .... 36
    Method to Prove Possession of Private Key .... 36
    Authentication of Organization Identity .... 36
    Authentication of Individual Identity .... 38
    Non-Verified Subscriber Information .... 42
    Validation of Authority .... 42
    Criteria for Interoperation .... 44
    Authentication of Domain Name .... 44
    Authentication of Email Addresses .... 44
3.3 IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS .... 44
    Identification and Authentication for Routine Re-key .... 44
    Identification and Authentication for Reissuance after Revocation .... 45
    Re-verification and Revalidation of Identity When Certificate Information Changes .... 45
    Identification and Authentication for Re-key After Revocation .... 45

GlobalSign CP (Certificate Policy) 2 of 81 Version: 6.7

3.4 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST .... 45
4.0 CERTIFICATE LIFE CYCLE OPERATIONAL REQUIREMENTS .... 46
4.1 CERTIFICATE APPLICATION .... 46
    Who Can Submit a Certificate Application .... 46
    Enrollment Process and Responsibilities .... 46
4.2 CERTIFICATE APPLICATION PROCESSING .... 46
    Performing Identification and Authentication Functions .... 46
    Approval or Rejection of Certificate Applications .... 46
    Time to Process Certificate Applications .... 46
4.3 CERTIFICATE ISSUANCE .... 47
    CA Actions during Certificate Issuance .... 47
    Notifications to Subscriber by the CA of Issuance of Certificate .... 47
    Notification to North American Energy Standards Board (NAESB) Subscribers by the CA of Issuance of Certificate .... 47
4.4 CERTIFICATE ACCEPTANCE .... 47
    Conduct Constituting Certificate Acceptance .... 47
    Publication of the Certificate by the CA .... 47
    Notification of Certificate Issuance by the CA to Other Entities .... 47
4.5 KEY PAIR AND CERTIFICATE USAGE .... 47
    Subscriber Private Key and Certificate Usage .... 47
    Relying Party Public Key and Certificate Usage .... 48
4.6 CERTIFICATE RENEWAL .... 48
    Circumstances for Certificate Renewal .... 48
    Who May Request Renewal .... 48
    Processing Certificate Renewal Requests .... 48
    Notification of New Certificate Issuance to Subscriber .... 48
    Conduct Constituting Acceptance of a Renewal Certificate .... 48
    Publication of the Renewal Certificate by the CA .... 48
    Notification of Certificate Issuance by the CA to Other Entities .... 48
4.7 CERTIFICATE RE-KEY .... 48
    Circumstances for Certificate Re-Key .... 48
    Who May Request Certification of a New Public Key .... 49
    Processing Certificate Re-Keying Requests .... 49
    Notification of New Certificate Issuance to Subscriber .... 49
    Conduct Constituting Acceptance of a Re-Keyed Certificate .... 49
    Publication of the Re-Keyed Certificate by the CA .... 49
    Notification of Certificate Issuance by the CA to Other Entities .... 49
4.8 CERTIFICATE MODIFICATION .... 49
    Circumstances for Certificate Modification .... 49
    Who May Request Certificate Modification .... 49
    Processing Certificate Modification Requests .... 49
    Notification of New Certificate Issuance to Subscriber .... 50
    Conduct Constituting Acceptance of Modified Certificate .... 50
    Publication of the Modified Certificate by the CA .... 50
    Notification of Certificate Issuance by the CA to Other Entities .... 50
4.9 CERTIFICATE REVOCATION AND SUSPENSION .... 50
    Circumstances for Revocation .... 50
    Who Can Request Revocation .... 52
    Procedure for Revocation Request .... 52
    Revocation Request Grace Period .... 53
    Time Within Which CA Must Process the Revocation Request .... 53
    Revocation Checking Requirements for Relying Parties .... 53
    CRL Issuance Frequency .... 53
    Maximum Latency for CRLs .... 54
    On-Line Revocation/Status Checking Availability .... 54
    On-Line Revocation Checking Requirements .... 54
    Other Forms of Revocation Advertisements Available .... 54
    Special Requirements Related to Key Compromise .... 54
    Circumstances for Suspension .... 55
    Who Can Request Suspension .... 55
    Procedure for Suspension Request .... 55
    Limits on Suspension Period .... 55
4.10 CERTIFICATE STATUS SERVICES .... 55
    Operational Characteristics .... 55
    Service Availability .... 55
    Operational Features .... 55
4.11 END OF SUBSCRIPTION .... 55
4.12 KEY ESCROW AND RECOVERY .... 56
    Key Escrow and Recovery Policy and Practices .... 56
    Session Key Encapsulation and Recovery Policy and Practices .... 56
5.0 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS .... 56
5.1 PHYSICAL CONTROLS .... 56
    Site Location and Construction .... 56
    Physical Access .... 56
    Power and Air Conditioning .... 56
    Water Exposures .... 56
    Fire Prevention and Protection .... 56
    Media Storage .... 56
    Waste Disposal .... 56
    Off-Site Backup .... 57
5.2 PROCEDURAL CONTROLS .... 57
    Trusted Roles .... 57
    Number of Persons Required per Task .... 57
    Identification and Authentication for Each Role .... 57
    Roles Requiring Separation of Duties .... 57
5.3 PERSONNEL CONTROLS .... 58
    Qualifications, Experience, and Clearance Requirements .... 58
    Background Check Procedures .... 58
    Training Requirements .... 58
    Retraining Frequency and Requirements .... 58
    Job Rotation Frequency and Sequence .... 59
    Sanctions for Unauthorized Actions .... 59
    Independent Contractor Requirements .... 59
    Documentation Supplied to Personnel .... 59
5.4 AUDIT LOGGING PROCEDURES .... 59
    Types of Events Recorded .... 59
    Frequency of Processing Log .... 60
    Retention Period for Audit Log .... 60
    Protection of Audit Log .... 60
    Audit Log Backup Procedures .... 60
    Audit Collection System .... 60
    Notification to Event-Causing Subject .... 60
    Vulnerability Assessments .... 60
5.5 RECORDS ARCHIVAL .... 61
    Types of Records Archived .... 61
    Retention Period for Archive .... 61
    Protection of Archive .... 61
    Archive Backup Procedures .... 61
    Requirements for Timestamping of Records .... 61
    Archive Collection System (Internal or External) .... 61
    Procedures to Obtain and Verify Archive Information .... 61
5.6 KEY CHANGEOVER .... 61
5.7 COMPROMISE AND DISASTER RECOVERY .... 61
    Incident and Compromise Handling Procedures .... 61
    Computing Resources, Software, and/or Data Are Corrupted .... 62
    Issuing CA Private Key Compromise Procedures .... 62
    Business Continuity Capabilities After a Disaster .... 62
5.8 CA OR RA TERMINATION .... 62
    Successor Issuing Certification Authority .... 63
6.0 TECHNICAL SECURITY CONTROLS .... 63
6.1 KEY PAIR GENERATION AND INSTALLATION .... 63
    Key Pair Generation .... 63
    Private Key Delivery to Subscriber .... 63
    Public Key Delivery to Certificate Issuer .... 64
    CA Public Key Delivery to Relying Parties .... 64
    Key Sizes .... 64
    Public Key Parameters Generation and Quality Checking .... 64
    Key Usage Purposes (as per X.509 v3 Key Usage Field) .... 64
6.2 PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS .... 64
    Cryptographic Module Standards and Controls .... 64
    Private Key (n out of m) Multi-Person Control .... 65
    Private Key Escrow .... 65
    Private Key Backup .... 65
    Private Key Archival .... 65
    Private Key Transfer into or from a Cryptographic Module .... 65
    Private Key Storage on Cryptographic Module .... 65
    Method of Activating Private Key .... 65
    Method of Deactivating Private Key .... 65
    Method of Destroying Private Key .... 65
    Cryptographic Module Rating .... 65
6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT .... 66
    Public Key Archival .... 66
    Certificate Operational Periods and Key Pair Usage Periods .... 66
6.4 ACTIVATION DATA .... 66
    Activation Data Generation and Installation .... 66
    Activation Data Protection .... 66
    Other Aspects of Activation Data .... 67
6.5 COMPUTER SECURITY CONTROLS .... 67
    Specific Computer Security Technical Requirements .... 67
    Computer Security Rating .... 67
6.6 LIFE CYCLE TECHNICAL CONTROLS .... 67
    System Development Controls .... 67
    Security Management Controls .... 67
    Life Cycle Security Controls .... 68
6.7 NETWORK SECURITY CONTROLS .... 68
6.8 TIMESTAMPING .... 68
7.0 CERTIFICATE, CRL, AND OCSP PROFILES .... 68
7.1 CERTIFICATE PROFILE .... 68
    Version Number(s) .... 68
    Certificate Extensions .... 68
    Algorithm Object Identifiers .... 68
    Name Forms .... 68
    Name Constraints .... 69
    Certificate Policy Object Identifier .... 69
    Usage of Policy Constraints Extension .... 69
    Policy Qualifiers Syntax and Semantics .... 69
    Processing Semantics for the Critical Certificate Policies Extension .... 69
    Serial Numbers .... 69
    Special Provisions for Qualified Certificates .... 69
7.2 CRL PROFILE .... 70
    Version Number(s) .... 70
    CRL and CRL Entry Extensions .... 70
7.3 OCSP PROFILE .... 70
    Version Number(s) .... 70
    OCSP Extensions .... 70
8.0 COMPLIANCE AUDIT AND OTHER ASSESSMENTS .... 70
8.1 FREQUENCY AND CIRCUMSTANCES OF ASSESSMENT .... 70
8.2 IDENTITY/QUALIFICATIONS OF ASSESSOR .... 70
8.3 ASSESSOR'S RELATIONSHIP TO ASSESSED ENTITY .... 71
8.4 TOPICS COVERED BY ASSESSMENT .... 71
8.5 ACTIONS TAKEN AS A RESULT OF DEFICIENCY .... 71
8.6 COMMUNICATIONS OF RESULTS .... 71
8.7 SELF-AUDIT .... 71
9.0 OTHER BUSINESS AND LEGAL MATTERS .... 71
9.1 FEES .... 71
    Certificate Issuance or Renewal Fees .... 71
    Certificate Access Fees .... 71
    Revocation or Status Information Access Fees .... 72
    Fees for Other Services .... 72
    Refund Policy .... 72
9.2 FINANCIAL RESPONSIBILITY .... 72
    Insurance Coverage .... 72
    Other Assets .... 72
    Insurance or Warranty Coverage for End Entities .... 72
9.3 CONFIDENTIALITY OF BUSINESS INFORMATION .... 72
    Scope of Confidential Information .... 72
    Information Not Within the Scope of Confidential Information .... 72
    Responsibility to Protect Confidential Information .... 72
9.4 PRIVACY OF PERSONAL INFORMATION .... 72
    Privacy Plan .... 72
    Information Treated as Private .... 72
    Information Not Deemed Private .... 73
    Responsibility to Protect Private Information .... 73
    Notice and Consent to Use Private Information .... 73
    Disclosure Pursuant to Judicial or Administrative Process .... 73
    Other Information Disclosure Circumstances .... 73
9.5 INTELLECTUAL PROPERTY RIGHTS .... 73
9.6 REPRESENTATIONS AND WARRANTIES .... 73
    CA Representations and Warranties .... 73
    RA Representations and Warranties .... 75
    Subscriber Representations and Warranties .... 75
    Relying Party Representations and Warranties .... 77
    Representations and Warranties of Other Participants .... 78
9.7 DISCLAIMERS OF WARRANTIES .... 78
9.8 LIMITATIONS OF LIABILITY .... 78
    Exclusion of Certain Elements of Damages .... 78
9.9 INDEMNITIES .... 78
    Indemnification by an Issuer CA .... 78
    Indemnification by Subscribers .... 78
    Indemnification by Relying Parties .... 78
9.10 TERM AND TERMINATION .... 78
    Term .... 78
Termination ........................................................................................................................... 78 Effect of Termination and Survival......................................................................................... 79 9.11 INDIVIDUAL NOTICES AND COMMUNICATIONS WITH PARTICIPANTS .............................................................. 79 9.12 AMENDMENTS ................................................................................................................................... 79 Procedure for Amendment .................................................................................................... 79 Notification Mechanism and Period ...................................................................................... 79 Circumstances Under Which OID Must be Changed .............................................................. 79 9.13 DISPUTE RESOLUTION PROCEDURES ....................................................................................................... 79 9.14 GOVERNING LAW ............................................................................................................................... 79 9.15 COMPLIANCE WITH APPLICABLE LAW...................................................................................................... 80 9.16 MISCELLANEOUS PROVISIONS ............................................................................................................... 80 Entire Agreement ................................................................................................................... 80 Assignment ............................................................................................................................ 80 Severability ............................................................................................................................ 
80 Enforcement (Attorney’s Fees and Waiver of Rights) ............................................................ 80 Force Majeure ........................................................................................................................ 80 9.17 OTHER PROVISIONS ............................................................................................................................ 80 CA Chaining Agreement ......................................................................................................... 81 PKI Infrastructure review ....................................................................................................... 81 Subscriber CA implementation .............................................................................................. 81 Ongoing requirements and audits ......................................................................................... 81 GlobalSign CP (Certificate Policy) 7 of 81 Version: 6.7
Document History

Version  Release Date  Status & Description
V4.0  03/22/12  Administrative update – Inclusion of additional WebTrust 2.0 and CA/BForum Baseline Requirements for issuance of SSL Certificates.
V4.1  03/29/12  Addition of support for NAESB.
V4.2  06/07/12  Additional CA/BForum Baseline Requirements support
V4.3  07/01/12  Additional CA/BForum Baseline Requirements
V4.4  03/15/13  Extended validity period of PersonalSign, Administrative updates. Modification to NAESB Certificates incorporating WEQ-012 v 3.0 updates
V4.5  03/31/13  Statement of compliance to CA/Browser Forum Baseline Requirements, EPKI specification update
V4.6  03/07/14  Administrative updates/clarifications; Modified provisions to ensure compliance with CA/Browser Forum Baseline Requirements
V4.7  6/25/14  Modified availability requirement and maximum process time for revocation; Administrative update/clarifications
V4.8  09/02/14  Modifications to enhance the description of domain validation processes, highlighted by public review.
V4.9  03/05/15  Modified maximum validity period of Code Signing certificate; GlobalSign’s new R6 root and readability enhancements to cover new AATL offerings
V5.0  08/15/15  Policy OIDs and Publication of all of GlobalSign’s Non Constrained Subordinate CAs
V5.1  05/02/16  Annual Review; Modified NAESB EIR requirements to reflect non WEQ energy participants requirements
V5.2  06/16/16  Adding Root R7 and R8 Certificates
V5.3  08/11/16  Adding Test CA OID; Reflected changes from CABF Ballot 173; Clarification on Certificate Transparency
V5.4  02/02/17  Removal of Root R2 & R4; addition of code signing minimum requirements
V5.5  08/07/17  Updates for AATL Digital Signing Service; Added CAA record checking requirement; Annual update/review to fix bugs
V5.6  12/14/17  Updates related to Annual BR Self-Assessment
V5.7  04/03/18  Max SSL validity set to 825 days; Specified that GlobalSign no longer generates keys for SSL certificates; Updates for NAESB identity requirements
V5.8  06/15/18  Updates for Qualified Certificates
V5.9  11/05/18  Updates to revocation timelines in accordance with CABF Ballot SC6; Made a variety of definition/acronym updates for clarification.
V6  03/12/19  Updated roles requiring separation of duties; Added new ICAs for AATL and Timestamping; Added new Email Domain Validation methods and definitions; Added new Phone Domain Validation methods and definitions; Added new IoT policy OIDs
V6.1  05/30/2019  Added new GlobalSign R46/E46 Root Certificates; Added new Private Client Certificate Policy OID; Support for Qualified Timestamping and Qualified Web Authentication Certificates; Changed “re-key” definition to match WebTrust
V6.2  09/25/2019  Removed reference to NAESB High Assurance certificates; Removed “any other” method for IP Address approval
V6.3  03/31/2020  Added non-TLS roots; Updated address in section 1.5; Added more detail to AATL Individual/Organization vetting requirements; Added new Timestamping Token OID; Added advanced electronic signature/seal (or higher) as an alternative means to confirm authority following COVID-19 emergency; Added notification period for subscribers regarding expiration of certificates; Added new CABF code signing requirements
V6.4  07/07/2020  Support for qualified certificates (non-QSCD) and QSCD managed by GlobalSign. Max SSL validity set to 397 days. Removed code signing certificates for individuals. Added hierarchy validation approach for eIDAS. Updates for uniqueness of Names.
V6.5  30/09/2020  Disclosure of Registration / Incorporating Agency. Added S/MIME and Client Authentication certificate products and OIDs. Added revocation at GlobalSign’s discretion. Updates to revocation reasons. Removal of Root R7, R8.
V6.6  29/12/2020  Updates for UK trust services; Revision of revocation requirements; Revision of OIDs; Updates for ballots SC28, SC30, SC31, SC33; Grammatical updates, language consistency, RFCs; Relying party liability for PSD2 certificates; Root inclusion feedback; Specification of KeyPurposeIds
V6.7  30/03/2021  Updates for UK trust services; Clarification on max validity; Including affiliated entities; Added Timestamping Root E46; Revision of OIDs, including LRA OIDs; Clarified non-verified subscriber information; Grammatical updates, language consistency; Updates to operational periods and key pair usage periods
Acknowledgments

GlobalSign® and the GlobalSign Logo are registered trademarks of GMO GlobalSign K.K.
1.0 Introduction

This Certificate Policy (CP) applies to the products and services of GlobalSign NV/SA and affiliated entities (“GlobalSign”). Primarily, this pertains to the issuance and lifecycle management of Certificates, including validity checking services. GlobalSign may also provide additional services such as timestamping. This CP may be updated from time to time as outlined in Section 1.5, Policy Administration. The latest version may be found on the GlobalSign group company repository, https://www.globalsign.com/repository. (Alternative language versions may be available to aid Relying Parties and Subscribers in their understanding of this CP; however, in the event of any inconsistency, the English version shall control.)

A CP is a “named set of rules that indicates the applicability of a Digital Certificate to a particular community and/or class of application with common security requirements.” This CP meets the formal requirements of Internet Engineering Task Force (IETF) RFC 3647, dated November 2003, with regard to content, layout and format (RFC 3647 obsoletes RFC 2527). An RFC issued by the IETF is an authoritative source of guidance with regard to standard practices in the area of Electronic Signatures and Certificate management. While certain section titles are included in this policy according to the structure of RFC 3647, the topic may not necessarily apply to the services of GlobalSign; such sections have ‘No stipulation’ appended. Where necessary, additional information is presented in subsections to the standard structure. Meeting the format requirements of RFC 3647 enhances and facilitates the mapping and interoperability with other third party CAs and provides Relying Parties with advance notice of GlobalSign’s practices and procedures.
This CP aims to comply with the requirements of:
• Browsers’ root programs
• RFC 3647, Request for Comments: 3647, Internet X.509 Public Key Infrastructure: Certificate Policy and Certification Practices Framework, Chokhani, et al, November 2003
• North American Energy Standards Board (NAESB) Accreditation Requirements for Authorized Certificate Authorities
• WebTrust Principles and Criteria for Certification Authorities
• WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security
• WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL
• WebTrust Principles and Criteria for Certification Authorities – Code Signing Baseline Requirements
• Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
• The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019
• The Electronic Identification and Trust Services for Electronic Transactions Regulation 2016 (2016 No. 696)

This CP conforms to the current versions of the following requirements:
• CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (“Baseline Requirements”)
• CA/Browser Forum Guidelines For The Issuance And Management Of Extended Validation Certificates (“EV Guidelines”)
• CA/Browser Forum Network and Certificate System Security Requirements
• CA/Browser Forum Baseline Requirements for Code Signing (“Baseline Requirements for Code Signing”)
published at http://www.cabforum.org. If there is any inconsistency between this document and the Requirements above, the Requirements take precedence over this document.
This CP addresses areas of policy and practice such as, but not limited to, technical requirements, security procedures, and personnel and training needs, which are required to meet industry best practices for Certificate lifecycle management. This CP applies to all Certificates issued by GlobalSign, including its Root Certificates and any chaining services to third party Subordinate/Issuing CAs. Root Certificates are used to manage Certificate hierarchies through the creation of one or more Subordinate CAs that may or may not be controlled directly by the same entity that manages the Root Certificate itself.

This CP is applicable to the Subscriber and/or Relying Party who uses, relies upon or attempts to rely upon certification services made available by the Certification Authority referring to this CP. The English version of this CP is the primary version. In the event of any conflict or inconsistency between the English CP and any localized or translated version, the provisions of the English version shall prevail.

1.1 Overview

This CP applies to the complete GlobalSign hierarchy and all Certificates that it issues, either directly through its own systems or indirectly through its Trusted Root™ (previously known as Root Sign) program, including self-signed Root Certificates and Key Pairs. The purpose of this CP is to present GlobalSign’s practices and procedures in managing Root Certificates and Issuing CAs in order to demonstrate compliance with formal, industry accepted accreditations such as WebTrust.

Additionally, the eIDAS Regulation (Regulation (EU) No 910/2014) (“eIDAS”), eIDAS (UK legislation) and The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (“UK eIDAS”) provide for the recognition of Electronic Signatures that are used for the purposes of authentication or non-repudiation. In this regard, GlobalSign operates within the scope of the applicable sections of the Law when delivering its services. Trust services for the United Kingdom are operated by and provided through GMO GlobalSign LTD., an affiliate entity of GlobalSign. This CP sets out the objectives, roles, responsibilities and practices of all entities involved in the lifecycle of Certificates issued under this CP.
In simple terms, a CP states “what is to be adhered to,” setting out an operational rule framework for products and services. A Certification Practice Statement (CPS) complements this CP and states “how the Certification Authority adheres to the Certificate Policy.” A CPS provides an end user with a summary of the processes, procedures and overall prevailing conditions that the Issuing CA (i.e. the entity which provides the Subscriber its Certificate) will use in creating and managing such Certificates. Likewise, GlobalSign Trusted Root Subscribers who themselves become an Issuing CA maintain their own Certification Practice Statement applicable to the products and services they offer.

In addition to this CP and the CPS, GlobalSign maintains additional documented policies which address such issues as:
• Business continuity and disaster recovery
• Security policy
• Personnel policies
• Key management policies
• Registration procedures

Additionally, other relevant documents include:
• The GlobalSign Warranty Policy that addresses issues on insurance;
• The GlobalSign Privacy Policy on the protection of personal data; and
• The GlobalSign Certification Practice Statement that addresses the methods and rules by which Certificates are delivered for the domain of the GlobalSign top roots.

All applicable GlobalSign policies are subject to audit by authorised third parties, which GlobalSign highlights on its public facing web site via a WebTrust Seal of Assurance. Additional information can be made available upon request.
Certificate Naming

The exact names of the GlobalSign Certificates that are governed by this CP are:

GlobalSign Public Root CA Certificates
• GlobalSign Root CA – R1 with fingerprint EBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99
• GlobalSign Root CA – R3 with fingerprint CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B
• GlobalSign Root CA – R5 with fingerprint 179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924
• GlobalSign Root CA – R6 with fingerprint 2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69
• GlobalSign Root CA – R46 with fingerprint 4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9
• GlobalSign Root CA – E46 with fingerprint CBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058

GlobalSign Public Non-TLS Root CA Certificates
• GlobalSign Client Authentication Root R45 with fingerprint 165C7E810BD37C1D57CE9849ACCD500E5CB01EEA37DC550DB07E598AAD2474A8
• GlobalSign Client Authentication Root E45 with fingerprint 8B0F0FAA2C00FE0532A8A54E7BC5FD139C1922C4F10F0B16E10FB8BE1A634964
• GlobalSign Code Signing Root R45 with fingerprint 7B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF86
• GlobalSign Code Signing Root E45 with fingerprint 26C6C5FD4928FD57A8A4C5724FDD279745869C60C338E262FFE901C31BD1DB2B
• GlobalSign Document Signing Root R45 with fingerprint 38BE6C7EEB4547D82B9287F243AF32A9DEEB5DC5C9A87A0056F938D91B456A5A
• GlobalSign Document Signing Root E45 with fingerprint F86973BDD0514735E10C1190D0345BF89C77E1C4ADBD3F65963B803FD3C9E1FF
• GlobalSign Secure Mail Root R45 with fingerprint 319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974
• GlobalSign Secure Mail Root E45 with fingerprint 5CBF6FB81FD417EA4128CD6F8172A3C9402094F74AB2ED3A06B4405D04F30B19
• GlobalSign Timestamping Root R45 with fingerprint 2BCBBFD66282C680491C8CD7735FDBBAB7A8079B127BEC60C535976834399AF7
• GlobalSign Timestamping Root E46 with fingerprint 4774674B94B78F5CCBEF89FDDEBDABBD894A71B55576B8CC5E6876BA3EAB4538
• GlobalSign IoT Root R60 with fingerprint 319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974
• GlobalSign IoT Root E60 with fingerprint 5CBF6FB81FD417EA4128CD6F8172A3C9402094F74AB2ED3A06B4405D04F30B19

The Root Certificates above are Public, WebTrust-audited certificates that are configured for non-TLS use, to cater to GlobalSign’s various product offerings. GlobalSign actively promotes the inclusion of the Root Certificates above in hardware and software platforms that are capable of supporting Certificates and associated cryptographic services according to the specified GlobalSign use case and applicable hardware/software trust bits. Where possible, GlobalSign will seek to enter into a contractual agreement with platform providers to ensure effective Root Certificate life cycle management. However, GlobalSign also actively encourages platform providers, at their own discretion, to include GlobalSign Root Certificates without contractual obligation.
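A Relying Party or trust-store maintainer will usually want to confirm that a root it holds is one of the roots named above rather than a similarly named certificate. The following is an added example, not GlobalSign's code or a tool the CP describes: it takes a certificate (PEM or DER), computes its fingerprint and looks it up against a subset of the list above, copied verbatim from this section. It assumes that the 64 hex-digit fingerprints in the CP are SHA-256 digests of the DER encoding, which is the convention behind 64-hex-digit certificate fingerprints; every function name, the `CP_ROOT_FINGERPRINTS` table and the sample PEM are constructed for the example. Because the IoT Root R60 and E60 entries above carry the same fingerprints as the Secure Mail Root R45 and E45 entries, the lookup returns every name that matches rather than a single one, so such a collision is visible to the caller instead of silently resolving to whichever entry came first.

```python
"""Check a certificate's fingerprint against roots named in the GlobalSign CP.

Added example; not GlobalSign's code.  Assumption: the CP's fingerprints are
SHA-256 over the DER-encoded certificate, written as 64 upper-case hex digits.
"""
import base64
import hashlib
import re
from typing import List, Union

# Subset of the roots in the CP's "Certificate Naming" section (copied verbatim).
# Two entries deliberately share one fingerprint, exactly as the CP lists them.
CP_ROOT_FINGERPRINTS = {
    "GlobalSign Root CA – R1":
        "EBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99",
    "GlobalSign Root CA – R3":
        "CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B",
    "GlobalSign Root CA – R46":
        "4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9",
    "GlobalSign Root CA – E46":
        "CBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058",
    "GlobalSign Secure Mail Root R45":
        "319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974",
    "GlobalSign IoT Root R60":
        "319AF0A7729E6F89269C131EA6A3A16FCD86389FDCAB3C47A4A675C161A3F974",
}

_HEX64 = re.compile(r"^[0-9A-F]{64}$")
_PEM_ARMOUR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def normalize_fingerprint(fp: str) -> str:
    """Accept 'ab:cd:..', 'AB CD ..' or 'abcd..' and return the CP's form.

    Tools print fingerprints with colons, spaces or lower case; the CP uses
    bare upper-case hex.  Anything that is not 64 hex digits is rejected so a
    truncated or SHA-1 value cannot accidentally 'match' nothing and pass.
    """
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if not _HEX64.match(cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return cleaned


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body (no ASN.1 parsing needed)."""
    body = _PEM_ARMOUR.sub("", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint_der(der: bytes) -> str:
    """SHA-256 of the DER bytes, upper-case hex, as the CP writes it."""
    return hashlib.sha256(der).hexdigest().upper()


def roots_matching(fp: str) -> List[str]:
    """Every CP root name carrying this fingerprint; [] if it is not listed."""
    wanted = normalize_fingerprint(fp)
    return [name for name, listed in CP_ROOT_FINGERPRINTS.items()
            if listed == wanted]


def check_certificate(cert: Union[str, bytes]) -> List[str]:
    """Fingerprint a PEM (str) or DER (bytes) certificate and look it up."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return roots_matching(fingerprint_der(der))


# Constructed sample: PEM armour around arbitrary bytes, NOT a real certificate,
# so it is expected to match none of the CP's roots.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("sample cert matches:", check_certificate(SAMPLE_PEM))      # []
    print("R1 by fingerprint  :", roots_matching(
        "eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:"
        "1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99"))
```

To use this against a real trust store, feed `check_certificate` the PEM or DER of each root and treat an empty result as "not a root named in this CP". A result with more than one name means the CP lists that fingerprint under more than one name, which is worth raising with the CA rather than resolving locally.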